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CONTROLLED ACCESS SYSTEM AND METHOD 

This invention pertains generally to systems to which access is limited and, 
more particularly, to a system and method for controlling access to such 
systems. 

Examples of systems to which access is limited include computers, files 
5 stored in computers, automated teller machines, and entrances to buildings. 
For convenience, the system to be accessed is sometimes referred to 
generically as the host system, or simply the host, with the understanding that 
it can be any type of system to which access is limited and not just the 
systems enumerated above. 

10 The traditional methods of distinguishing an authorized user from an 
unauthorized user or imposter are by 'something you have", "something you 
are" or "something you know". Each of these methods has its own 
advantages and disadvantages, and two or more of the methods can be 
combined. 

15 A password is a common example of "something you know". Biometric 
measurement devices are one way of verifying "something you are", and 
physical tokens such as ordinary door keys, magnetic cards and cryptographic 
access devices are examples of "something you have". Each of these 
devices has certain limitations and disadvantages. Mechanical keys are 

20 inexpensive and reliable, but they are also easy to copy. Biometric 
measurement devices require elaborate specialized equipment if they are to 
provide high security. Cryptographic devices such as the Security Dynamics 
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"Secure ID" card system can require a special server, and magnetic cards 
require a special reader and can be copied by a "hacked" reader. 

It is in general an object of the invention to provide a new and improved 
system and method for controlling access to a system to which access is 
5 limited. 

Another object of the invention is to provide a system and method of the 
above character which overcome the limitations and disadvantages of 
techniques heretofore employed. 

These and other objects are achieved in accordance with the invention by 
10 storing an encryption code in a small cryptographic key which can be carried 
by a person desiring access to the host, bringing the key into proximity with 
a wireless transceiver connected to the host, transmitting information over a 
wireless communication link between the host and the key, encrypting 
information transmitted from the key to the host in accordance with the 
15 encryption code in the key, decrypting the information received by the host, 
and processing the decrypted information to determine whether access to the 
host is authorized. 

Figure 1 is block diagram of one embodiment of a controlled access system 
according to the invention. 

20 Figure 2 is a block diagram of the cryptographic key in the embodiment of 
Figure 1. 

Figure 3 is an isometric view of the cryptographic key in the embodiment of 
Figure 1 , with the cover open and the components visible on a circuit board 
within the housing or case. 
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Figures 4 - 7 are flow charts illustrating operation of the system with different 
authentication and cryptographic protocols. 

As illustrated in Figure 1. the system includes a host 16 and a cryptographic 
key 1 7. The host is illustrated as a computer having a microprocessor 18 with 
5 a random access memory (RAM) 1 9 for temporarily storing data and operating 
variables, a read-only memory (ROM) 21 for storing system software, a drive 
unit 22 for more permanent storage of software and data, a keyboard 23 and 
a monitor 24. 

The host also includes a transceiver 26 for transferring data and other 
10 information over a wireless communications link between the computer and 
the cryptographic key. That link can utilize any suitable form of 
communication such as infrared, visible light, radio frequency or inductive 
coupling, and in one presently preferred embodiment, an infrared transceiver 
is employed. A number of computers today have infrared transceivers or 
15 ports built into them for transferring data to printers and other peripheral 
devices. By using a standard form of communication such as the Infrared 
Data Association (IrDA) Standards with those ports, secure access can be 
provided to existing computers without requiring any additional hardware to be 
added to them. The transceiver can either be an integral part of the host or 
20 it can be located remotely of the host, possibly even being connected to the 
host through an insecure network. In either case, the key is brought into 
proximity with the transceiver and actuated to exchange information with the 
host. 

In the embodiment illustrated, the cryptographic key has generally rectangular 
25 housing or case 28 of a size which fits easily in the hand or pocket. In one 
present embodiment, it has a width on the order of 1-1/4 inches, a length on 
the order of 2 inches, and a thickness on the order of 1/2 inch. In the 
embodiment illustrated, it is attached to a keychain 29. 
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As illustrated in Figure 2. the cryptographic key includes a central processing 
unit (cpu) 31 , a random number generator 32. RAM 33, ROM 34. non-volatile 
memory 36, input switches 37. and a transceiver 38. The transceiver is 
chosen to match the one in the host, and in the presently preferred 
5 embodiment is an IrDA-compatible infrared transceiver. 

The components of the key are mounted on a circuit board 39 inside the 
housing or case. Those components include a microcontroller 41 which 
contains the microprocessor, memory and registers, a battery 42. switches 37. 
transceiver 38. and a light emitting diode (LED) 43 which indicates the status 
0 of the key. The infrared light source and sensor in the transceiver 
communicate with the host through an infrared transparent window 44 in the 
end wall of the housing opposite the keychain. 

One relatively simple cryptographic protocol which can be employed in the 
invention is authentication of the user by a cryptographic variable or secret 
5 key which is shared between the cryptographic key and the host. The secret 
key can, for example, be a large number (e.g.. 128 bits) which cannot be 
guessed by an attacker without an unfeasibly large, exhaustive search. 

The host has a database of authorized users, which contains a user ID and 
a secret key for each user. As illustrated in Figure 4. the host generates a 

) random number or cipher block R and sends that number as a challenge. 
The key encrypts the number R using the secret key K and sends the 
encrypted number CR back to the host. It also sends its user ID so that the 
host will know which secret key to use. The host then encrypts the number 
R using the secret key K and compares its result with the encrypted number 

> CR received from the key. If the results match, the user is authenticated {i.e., 
determined to be authorized to have access to the host), and access is 
permitted. If not. access is denied. 
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Another authentication protocol which can be utilized is hash-based 
authentication of the user. According to this protocol, the cryptographic key 
and the host both implement a secure has function H(x) such as the NIST 
Secure Hash Algorithm designed for use with the Digital Signature Standard 
5 (HPS PUB 186). Numerous authentication techniques can be based on such 
functions. 

One such technique is the S/key protocol which was designed at AT&T Bell 
Laboratories and is in widespread use on various computer systems. It is 
illustrated in Figure 5. Let HN(n f x) denote the iterated hash function, /.©., the 

10 function H iterated n times. For example, HN(4,x) is the same as 
H(H(H(H(x)))). When a user enrolls in the system, his cryptographic key 
generates or is assigned a secret key K. The host stores an iterated hash of 
K in its database. The number of iterations is a parameter of the 
implementation. For 100 iterations, for example, the host initially stores 

15 HN(100,K) as the user's authentication challenge AC. It also records the 
number n (in this case, 100) in the database. 

To authenticate a user, the host sends the number n to the cryptographic key. 
The cryptographic key computes the response R = HN (n-1 f K) and sends that 
result back to the host. The host verifies that R hashes the stored 
20 authentication challenge, /.a., that H(R) = AC. The host then replaces AC in 
its database with R and replaces n with n-1. When n reaches zero, the user 
must re-enroll in the system with a new K. < 

This approach has the advantage that the host does not need to store secret 
keys. Each new secret key it receives is used once, then discarded. 

25 Another protocol which can be employed to authenticate the user is a digital 
signature algorithm (DSA) ( such as the NIST Digital Signature Algorithm 
described in U.S. Patent 5,231,668 and in FIPS PUB 186. the disclosures of 
which are incorporated herein by reference. According to that algorithm, the 
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cryptographic key contains a secret key KS and a corresponding public key 
KP, which is aiso a cryptographic variable. The host also stores the public 
key. As illustrated in Figure 6, the host generates a random number or 
challenge string R and transmits it to the cryptographic key. That key then 
5 generates a random "salt" string S and concatenates that string with the 
random number R f producing a new string R' which consists of the contents 
of the random number R followed by the contents of the salt string S. It also 
computes the digital signature DSA(R') using its secret key KP. The 
cryptographic key then transmits the digital signature DSA(R') to the host, 
10 along with the salt string S. The host then verifies the signature on the string 
R 1 using the public KP. 

This technique is advantageous in that the cryptographic key needs to hold 
only one secret key, which can be used with as many hosts as desired. 
There is no need for concern about hosts revealing the public keys since 
15 those keys are already public. Even if the host is totally compromised, the 
secret component rests entirely in the cryptographic key and is still secure. 
The salt string prevents a potentially malicious host from gathering legitimate 
signatures on arbitrary strings of its own choosing. 

The secret/public keys can generated be within the cryptographic key by use 
20 of a random number generator, or they can be downloaded from a secure 
host. Generation within the cryptographic key has the advantage that the 
secret key never leaves the cryptographic key, and there is no need to worry 
about security of a generating host. 

The cryptographic key can authenticate a user either by the inputting of an 
25 identifying code (e.g., a PIN) through a keypad or by other means such as a 
biometric sensor to scan a unique feature of the body {e.g., a fingerprint or a 
retinal scan). If desired, the infrared transceiver in the key can be utilized to 
perform the scan as well as to communicate with the host. 
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In addition to authenticating users, the cryptographic key can also transmit a 
stored secret key to the host. This mode makes it convenient to access 
encrypted files on the host without the user having to remember or type a long 
password. There are several ways in which the secret key can be transmitted 
5 to the host. 



One simple approach is to transmit the secret key in unencrypted form. The 
problem with this approach is possible interception of the transmission and 
capture of the secret key by eavesdroppers. With infrared systems, where the 
range of transmission is limited, this technique can be used in low-to-medium 
security applications in typical environments. However, it is probably not 
suitable for use in systems such as RF where the range of transmission is 
greater. 



The protocol for the simple approach is that the host requests the secret key 
from the cryptographic key, and the cryptographic key sends the secret key 
15 to the host. 

Another approach is to transmit the secret key in encrypted form, using a 
public key protocol such as Diffie-Hellman key exchange or the Hughes key 
transmission protocol. This avoids the security problems of the simple 
approach but requires a more powerful microprocessor in the cryptographic 
20 key. Diffie-Hellman key exchange is described in detail in U.S. Patent 
4,200.770, the disclosure of which is incorporated herein by reference. 
However, its use might require the payment of license fees until the patent 
expires. 



Using the Hughes protocol, the transaction proceeds as follows. The host and 
the cryptographic key share a common prime modulus P and generator G, 
similar to those used in Diffie-Hellman key exchange. The modulus P is 
typically between 512 and 1024 bits. The host generates a random number 
Y and computes Y' = GY moc j p j^q host then requests a secret key 
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transfer from the cryptographic key and sends Y' as part of the request. The 
host also calculates a multiplicative inverse Y" 1 so that Y*Y' 1 = 1 mod P. 

The cryptographic key generates a secret random number X and sends Z = 
(Y') x mod P to the host. Since Y' = G Y mod P, this means that Z = (Y') x 
5 mod P = G XY mod P. The cryptographic key also computes K = G x mod P, 
but does not send it. 

The host then computes Z Y ~ 1 mod P. That is the same as K = G x mod P, 

and K is now a secret key shared between the cryptographic key and the 

host. The cryptographic key can now use K to encrypt a stored secret. 

10 Alternatively, a few calculations could be saved by letting K be the secret key 

needed by the host. In this case, X would be reused in different sessions, so 

there would be no need for the cryptographic key to compute G x mod P ©very 
time. 

Another suitable technique is the RSA public key cipher described in U.S. 
1 5 Patent 4,405,829, the disclosure of which is incorporated herein by reference. 
That approach is desirable in that it would require fewer computations by the 
cryptographic key, assuming a low public exponent. However, its use might 
require the payment of license fees until the patent expires. 

For high security applications, the cryptographic key can be provided with a 
20 keypad (not shown) for entry of a PIN or other identifying data which is known 
only to the user. That data can be combined with data stored in the non- 
volatile memory of the key to provide the secret key which is used in the 
various protocols. The requirement for the user to enter a PIN prevents 
unauthorized users from accessing the host with a stolen cryptographic key. 
25 For even greater security, the cryptographic key can be programmed to erase 
the data stored in its internal non-volatile memory if too many incorrect PIN's 
are entered, or if hardware tampering is detected. Entering the PIN through 
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the cryptographic key rather than through the host avoids sending secret 
information over networks which may not be secure. 

For all of the cryptographic variable or key transmission techniques discussed 
above, the transmitted message can be authenticated with digital signatures, 
5 or other means, if desired. 

In addition to authenticating users to a host, the cryptographic key can also 
be used for authenticating hosts to a user using the techniques discussed 
above. This assures a user accessing a remote host through a network that 
no intruder has tampered with the network and substituted his own computer 
0 for the real host. A visual indication as to the success or failure of the 
authentication protocol is provided by the LED in the cryptographic key. 

It is apparent from the foregoing that a new and improved system and method 
have been provided for controlling access to a system to which access is 
limited. While only certain presentfy preferred embodiments have been 
> described in detail, as will be apparent to those familiar with the art, certain 
changes and modifications can be made without departing from the scope of 
the invention as defined by the following claims. 
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CLAIMS 

1. In a system for controlling access to a host: a cryptographic key 
adapted to be carried by a person seeking access to the host, wireless 
communication means for transmitting information between the key and the 
host when the key is held in proximity with a transceiver connected to the 

5 host, means included in the key for encrypting information for transmission to 
the host, and means included in the host for decrypting the information from 
the key and processing the decrypted information to determine whether 
access to the host is authorized. 

2. The system of Claim 1 wherein the wireless communication means 
comprises infrared transceivers included in the host and in the key. 

3. The system of Claim 1 wherein the means for encrypting information 
includes a microprocessor. 

4. The system of Claim 1 wherein the means for encrypting information 
includes a private encryption code in the cryptographic key. 

5. The system of Claim 1 wherein the host comprises a computer, and the 
means for decrypting the information and processing the decrypted 
information comprises a microprocessor within the computer. 

6. In a method of verifying authorization to access a host, the steps of: 
storing an encryption code in a cryptographic key which can be carried by a 
person desiring access to the host, bringing the key into proximity with a 
wireless transceiver connected to the host, transmitting information over a 

5 wireless communication link between the transceiver and the key, encrypting 
information transmitted from the key to the transceiver in accordance with the 
encryption code in the key, decrypting the information received by the host. 
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and processing the decrypted information to determine whether access to the 
host is authorized. 

7. A cryptographic key for obtaining access to a host to which access is 
limited, comprising a body of a size suitable for attachment to a conventional 
key chain, a microprocessor within the body, means within the body for storing 
a cryptographic code, means programming the microprocessor to encrypt 
5 information in accordance with the stored code, and transceiver means carried 
by the body for transmitting encrypted information from the key to the host 
over a wireless communication link. 
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